The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidance and best practices for securing virtual private network (VPN) solutions.
VPNs, an important security tool in an era of widespread remote work, are entry points into secured networks that attackers frequently target. Because of VPNs’ vulnerabilities – a recent example involved a massive leak of Fortinet users’ passwords – a number of security vendors have been pushing zero trust network access as a potential replacement for VPNs.
The Sept. 28 NSA-CISA document (PDF download) urges buyers to use standards-based VPNs from vendors with a track record of swiftly addressing known vulnerabilities and of supporting strong authentication credentials. The VPN can be further hardened by configuring strong authentication and cryptography, running only the most essential features, and protecting and monitoring access to and from the VPN. What might be most striking about the document is how many security steps and solutions it takes to properly secure VPN connections.
Nation-state advanced persistent threat (APT) actors have used VPN device vulnerabilities for credential harvesting, remote code execution, traffic hijacking, data leaking, and to compromise the security of encrypted traffic sessions. According to the document, these effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services as well.
Choosing a VPN
The guide offers a number of issues to consider and pitfalls to avoid when choosing a VPN.
- Selecting non-standard VPN solutions, such as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, is a bad idea. These solutions include special, non-standard capabilities to tunnel traffic using TLS. Even if the TLS parameters used by the products are secure, using custom or non-standard features exposes you to additional danger. NSA and CISA propose standardized Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPNs that have been evaluated against standardized VPN security requirements.
- Read the vendor documentation carefully to make sure that products support IKE/IPsec VPNs. Some product documentation may be lacking in detail on the protocols that they support for establishing VPN tunnels. Avoid products that do not explicitly state which standards they adhere to or that claim to use proprietary methods to establish VPNs.
- When an IKE/IPsec VPN cannot be established, determine whether the product falls back to SSL/TLS in a proprietary or non-standards-based VPN protocol. Recognize the scenarios that could cause IKE/IPsec negotiations to fail. If possible, disable the SSL/TLS proprietary or non-standards-based VPN fallback.
- Make sure that any potential products employ FIPS-validated cryptographic modules and that they may be set to only use approved cryptographic algorithms.
- Examine whether a product offers strong authentication credentials and protocols by default, as opposed to weak credentials and protocols. Use multi-factor authentication and choose products that are compatible with the credentials you’ll be using.
- Investigate and choose a provider who has a track record of supporting products with regular software updates and speedy fixes for identified flaws. Ascertain that support duration covers the product’s complete expected usage lifetime, and replace the product before it reaches end-of-life.
- Request and validate a product’s Software Bill of Materials (SBOM) in order to determine the risk of the underlying software components. Because many vendors utilize obsolete versions of open-source software in their products, many of which have known vulnerabilities, this risk must be managed carefully.
- Ensure that the product has a reliable way of validating the integrity of its own code, and that code validation is performed on a frequent basis. VPN gateways, as security devices on a network’s perimeter, are frequent targets for attackers. It is often impossible to identify intrusions without the capacity to confirm a device’s integrity.
- Recognize the dangers of not being able to inspect the product independently. Some VPN providers encrypt devices in such a way that fast incident response is impossible. Products that do not allow the product owner to fully check the item pose an added risk, and can lead to the manufacturer becoming a product support bottleneck. Delays in the incident response procedure may give sophisticated actors enough time to hide their tracks.
- Examine the device’s additional characteristics in light of your company’s risk tolerance. While many extra features, such as remotely accessible administrative pages or web-based access to internal services, can be beneficial, they also pose a danger since they expand the product’s attack surface, which is frequently targeted and exploited by adversaries. Choose products that focus on safeguarding the core VPN operation and don’t include a lot of extra features, or at the very least, make sure that extra functions can be turned off and, ideally, are turned off by default.
- Ensure that the product has anti-intrusion features such as:
  - Signed binaries or firmware images
  - A secure boot procedure that validates boot code before it is executed
  - Integrity validation of runtime programs and files
Hardening a VPN
Once you’ve settled on a VPN, you need to configure it so it’s as safe as possible. The NSA and CISA document recommends the following steps to further harden the VPN against compromise.
Cryptography and Authentication
Only use strong cryptographic methods, algorithms, and authentication credentials that have been approved, the agencies said.
- The algorithms in the NSA-Approved Commercial National Security Algorithm (CNSA) Suite must be used by National Security Systems (NSS). Non-NSS U.S. government systems must employ NIST-specified algorithms, which include those approved to safeguard NSS. Other systems should employ the cryptographic methods specified in the CNSA Suite.
- Disable SSL/TLS VPN capability and fallback settings if possible, and configure the VPN to use IKE/IPsec.
- Use trusted server certificates for server authentication and renew them on a regular basis, such as annually. Self-signed and wildcard certificates should be avoided: the former are not trusted by clients, and the latter are trusted for an excessively broad scope.
- Use client certificate authentication if it is available. It’s a stronger form of authentication than passwords, and some VPN solutions support it for remote users connecting to the VPN, for example, by using a smartcard. Use client certificate authentication whenever possible so that the VPN doesn’t allow connections from clients that don’t have valid, trusted certificates. If client certificate authentication is not available, use other supported kinds of multi-factor authentication to prevent bad actors from authenticating with compromised passwords.
Reduce the Remote VPN Attack Surface
- Apply fixes and updates as soon as possible to mitigate known vulnerabilities that are frequently – and often quickly – exploited.
- External access to the VPN device should be limited by port and protocol.
- Allowlist recognized VPN peer IP addresses and ban all others if possible. Note that if unknown peer IP addresses are expected to access the VPN, this may be difficult.
- Disable complex features and non-VPN-related capabilities that are more likely to be vulnerable.
- Restrict access to the management interface via the VPN. Malicious cyber actors who gain access to administrator credentials may attempt to log in to administration interfaces and take privileged actions. Allowing VPN administrators to reach the management interface over a remote access VPN is not recommended; instead, administrative access should be limited to dedicated internal management networks. Investigate any attempts to access the remote access VPN using administrator credentials.
Protect and Monitor VPN Access
- Inspect session negotiations and detect unauthorized VPN traffic with an intrusion prevention system deployed in front of the remote access VPN.
- Using web application firewalls (WAFs) is a good idea. When possible, work with WAF and VPN providers to test compatibility.
- Enable enhanced web application security. Some remote access VPN solutions include capabilities for increased web application security, such as preventing the fraudulent reuse of users’ past session information to bypass authentication, to thwart compromise attempts against VPN web applications. When these features are available, turn them on.
- Use suitable network segmentation and access controls to restrict access to only those services that are required remotely. When determining access decisions, consider other factors (such as device information, the environment of the originating access request, the strength of credentials, and access path dangers).
- Enable local and remote logging to record and track VPN user activities, including login and access attempts, configuration changes, and network traffic metadata. Monitor and analyze all logs for unauthorized access, malicious configuration changes, abnormal network activity, and other indicators of penetration on a regular basis.
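As an added illustration of the peer allowlisting, management-interface and logging points above (example code, not from the NSA-CISA document or any vendor): a small Python audit over constructed VPN gateway log lines. The log format, the allowlisted ranges, the management network and the account names are all assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample gateway log lines (made up for this example, not real device output).
SAMPLE_LOGS = """\
2021-09-29T08:01:12Z ike peer=198.51.100.10 proto=IKEv2 user=alice result=ok
2021-09-29T08:02:40Z ike peer=192.0.2.77 proto=IKEv2 user=bob result=ok
2021-09-29T08:03:05Z tls peer=203.0.113.5 proto=SSLVPN user=carol result=ok
2021-09-29T08:04:55Z ike peer=198.51.100.10 proto=IKEv2 user=admin result=ok
2021-09-29T08:05:10Z mgmt peer=10.20.0.4 proto=HTTPS user=admin result=ok
2021-09-29T08:06:00Z mgmt peer=198.51.100.10 proto=HTTPS user=admin result=ok
"""

# Assumed policy values; a deployment would substitute its own.
PEER_ALLOWLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
MGMT_NETWORK = ip_network("10.20.0.0/16")      # dedicated internal management network
ADMIN_ACCOUNTS = {"admin", "root"}
IPSEC_PROTOS = {"IKEv1", "IKEv2"}              # anything else is an SSL/TLS-style fallback
TUNNEL_EVENTS = {"ike", "tls"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) peer=(?P<peer>\S+) "
                     r"proto=(?P<proto>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def findings_for(rec):
    """Return the policy findings for one parsed record (empty list means compliant)."""
    out = []
    peer = ip_address(rec["peer"])
    if rec["event"] in TUNNEL_EVENTS:
        if not any(peer in net for net in PEER_ALLOWLIST):
            out.append("peer-not-allowlisted")
        if rec["proto"] not in IPSEC_PROTOS:
            out.append("non-ipsec-tunnel")
        if rec["user"] in ADMIN_ACCOUNTS:
            out.append("admin-credential-over-remote-vpn")
    if rec["event"] == "mgmt" and peer not in MGMT_NETWORK:
        out.append("mgmt-access-outside-mgmt-network")
    return out

def audit(log_text):
    """Map each timestamp to its findings; fully compliant records are omitted."""
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (found := findings_for(rec)):
            results[rec["ts"]] = found
    return results

if __name__ == "__main__":
    for ts, found in audit(SAMPLE_LOGS).items():
        print(ts, ", ".join(found))
```

Each finding maps to one checklist item: an unknown peer, an SSL/TLS tunnel where IKE/IPsec was expected, an administrator account authenticating over the remote access VPN, and a management login from outside the management network.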